---
title: "AI Gets Personal: CCPA vs. GDPR on Automated Decision-Making"
type: source
tags: [gdpr, gdpr-article-22, ccpa, automated-decision-making, profiling, jurisdiction-comparison, schufa, legal, regulatory-risk]
authors: [Okan Ilke]
year: 2025
venue: "Berkeley Technology Law Journal Blog (BTLJ Blog) — UC Berkeley School of Law, 25 April 2025"
kind: webpage
raw_path: "raw/Legal/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making.pdf"
created: 2026-04-27
updated: 2026-04-27
key_claims:
  - The proposed CCPA rules on Automated Decision-Making Technologies (ADMTs) and GDPR Article 22 diverge on three structural axes — consent regime (opt-out vs opt-in), right to explanation/appeal (conditional vs unconditional), and scope/exceptions (carve-outs vs broad coverage).
  - GDPR Art. 22(3) provides an *unconditional* right to human review and explanation; CCPA § 7221(b) makes the right to appeal conditional on the company also offering opt-out — an "either-or" tradeoff that weakens the consumer position.
  - The CCPA's narrowed ADMT definition (§ 7001(f)) covers only tools that *replace human judgment* or are a *key factor* in significant decisions, excluding mere assistive systems — narrower than GDPR's "solely or significantly automated" framing.
  - CJEU's *SCHUFA* judgment (Case C-634/21) confirms that automated credit scores qualify as ADM under Art. 22 GDPR, triggering the full safeguards (explanation, human review, contest) — strong jurisprudential anchor for the EU regime.
  - Cross-jurisdiction divergence creates *regulatory arbitrage* risk — companies may exploit weaker rules in one jurisdiction to avoid accountability in another. Harmonising standards around consumer rights, transparency, and risk mitigation would reduce friction and enforcement gaps.
---

# Okan 2025 — AI Gets Personal: CCPA vs. GDPR on Automated Decision-Making

Berkeley Technology Law Journal **Blog** post by Ilke Okan (LL.M.), 25 April 2025.
Comparative analysis of the proposed California CCPA rules on Automated Decision-Making Technologies (ADMTs) against [[concepts/gdpr-article-22|GDPR Article 22]]. **Useful in the legal-risk cluster as the cross-jurisdictional anchor** — for any organisation operating in both EU and US markets, the divergences mapped here are the operational risk surface.

## What the CCPA proposed rules introduce

The California Privacy Protection Agency (CPPA) is amending the CCPA to specifically regulate ADMTs. Key provisions:

- **§ 7001(f)** — narrowed ADMT definition: only tools that *replace human judgment* or are a *key factor* in significant decisions, excluding systems that merely assist human input.
- **§ 7220(c)** — pre-use notices when ADMTs are used for impactful decisions (hiring, loans), explaining how the system works and what rights apply.
- **§ 7150(b) and § 7153** — internal risk assessments (especially when profiling is involved); third-party information-sharing in plain language.
- **§ 7220** — privacy-policy updates informing consumers of opt-out rights for high-stakes ADMT use.
- **§ 7221** — opt-out right under specified conditions; opt-out *not available* under § 7200 for fraud prevention, hiring, or educational profiling — exactly the high-impact areas where ADMTs matter most.

## Three structural divergences from GDPR Art. 22

### 1. Consent regime: Opt-out vs opt-in

- **GDPR Art. 22(1)** — *opt-in* regime. The data subject has a right *not to be subject* to solely automated decisions producing legal/significant effects, *unless* there is explicit consent, contractual necessity, or Member-State law authorisation.
- **CCPA § 7221** — *opt-out* regime. Consumers can choose not to have their data used in ADMTs, but only under specified circumstances. § 7200 carves out fraud prevention, hiring, and educational profiling from the opt-out — these high-impact contexts have **no opt-out option**.
- **Implication:** the GDPR's default is *no automated decisioning* (without explicit basis); the CCPA's default is *automated decisioning is allowed* (with limited exit). This shifts compliance burdens and litigation exposure dramatically.

### 2. Right to explanation and appeal: unconditional vs conditional

- **GDPR Art. 22(3)** provides an *unconditional* right to obtain human intervention, express their point of view, and contest the decision. Recital 71 adds the right to an explanation of the decision reached.
- **CCPA § 7221(b)** makes the right to appeal *conditional* — companies are not required to offer appeal unless they also deny the opt-out option. This "either-or" tradeoff undermines the consumer's ability to challenge opaque systems.
- The author argues this leaves consumers "vulnerable to automated errors or discrimination."

### 3. Scope and exceptions

- **GDPR** casts a broad net — applies to *any* fully automated decision-making process producing legal or similarly significant effects. Few exceptions.
- **CCPA** has multiple carve-outs — e.g. ADMT used solely for *training purposes* is excluded even though it still involves processing personal data.
- **Sensitive data**: GDPR treats biometric, health, and other special-category data with *heightened* protection (Art. 9). CCPA's current draft does not clearly adopt a layered approach for sensitive categories.

## CJEU enforcement anchor: SCHUFA

The author highlights **SCHUFA (CJEU Case C-634/21)** — Europe's highest court held that automated credit scores used to assess individuals' eligibility for services qualify as automated decision-making under [[concepts/gdpr-article-22|Article 22 GDPR]], because the scores significantly shape contractual outcomes. Consequences:

- Data subjects entitled to **safeguards**: explanation, human review, right to contest the decision.
- Strong precedent for "complex, third-party scoring systems" — the typical AI-pipeline architecture in BPM/finance.
- Demonstrates that strong ADMT protections can shape corporate behaviour and clarify obligations even when scoring is performed by third-party vendors.

## Why alignment matters — the regulatory-arbitrage argument

- Many companies subject to CCPA are *also* subject to GDPR due to global digital commerce.
- Divergences increase compliance cost and create regulatory uncertainty.
- Companies either **over-comply** (waste resources) or **under-comply** (exposing themselves to enforcement, litigation, reputational fallout).
- Without harmonisation, weaker rules in one jurisdiction can be exploited to avoid accountability in another → **regulatory arbitrage** that undermines trust in privacy protections globally.
- The author argues many US companies already have GDPR-compliant frameworks (opt-in, human review, clear disclosures); aligning CCPA with these would reduce redundancy and improve enforcement.

## Critical read

- **Strength:** clear, structured cross-jurisdictional comparison anchored on the SCHUFA enforcement precedent. Useful for ADMT-heavy industries (finance, hiring, healthcare, education).
- **Limitation:** this is a *blog post* under the BTLJ banner, not a peer-reviewed BTLJ article — author is LL.M.-trained, not a professorial expert. Treat as orientation, not authority.
- **Currency:** the CCPA proposal was still in draft form at the time of writing; final rules may differ in important ways.
- **Missing dimension:** the piece does not address state-level US activity outside California (e.g. Colorado AI Act 2024, Texas TRAIGA 2025, NYC Local Law 144 on automated employment decision tools) — for a complete US-vs-EU map these would need separate sources.

## Connections

**Concepts:** [[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/profiling]] · [[concepts/regulatory-arbitrage]]

**Authors:** [[entities/ilke-okan]]

**Related sources (in this wiki):** [[sources/gdpr-article-22-text]] · [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]] (deeper EU-side doctrinal analysis) · [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]]

**Syntheses:** [[syntheses/legal-risk-mapping-ai-process-automation]]

## Open follow-ups

- *SCHUFA* (CJEU C-634/21) was decided December 2023 — worth a dedicated source page given its load-bearing role in this and other sources.
- Final adopted CCPA ADMT rules (post-rulemaking) — the analysis here is on draft text; verify against the enacted text when needed.